weilite/webdav: init

2025-04-06 22:21:16 +08:00 · 2025-04-06 22:21:16 +08:00 · c2a8e74e50
commit c2a8e74e50
parent ea47988011
5 changed files with 65 additions and 14 deletions
--- a/machines/weilite/services/default.nix
+++ b/machines/weilite/services/default.nix
@ -7,5 +7,6 @@
    ./immich.nix
    ./jellyfin.nix
    ./transmission.nix
+    ./webdav.nix
  ];
 }
--- a/machines/weilite/services/immich.nix
+++ b/machines/weilite/services/immich.nix
@ -86,16 +86,6 @@ in
      '';
    };

-    systemd.mounts = [
-      {
-        what = "originals";
-        where = "/mnt/immich/external-library/xin";
-        type = "virtiofs";
-        options = "ro,nodev,nosuid";
-        wantedBy = [ "immich-server.service" ];
-      }
-    ];
-
    systemd.timers.immich-auto-stack = {
      enable = true;
      wantedBy = [ "immich-server.service" ];
@ -135,8 +125,8 @@ in

    systemd.services.immich-server = {
      serviceConfig = {
-        ReadWritePaths = [
-          "/mnt/immich/external-library/xin"
+        BindReadOnlyPaths = [
+          "/mnt/photos/xin/originals:/mnt/immich/external-library/xin"
        ];
        Environment = "IMMICH_CONFIG_FILE=${config.sops.templates."immich/config.json".path}";
      };
@ -161,8 +151,11 @@ in
    users.users.immich.extraGroups = [
      "video"
      "render"
+      "privimg"
    ];

+    users.groups.privimg = { };
+
    users.groups.immich_auto_stack = { };
    users.users.immich_auto_stack = {
      isSystemUser = true;
--- a/machines/weilite/services/webdav.nix
+++ b/machines/weilite/services/webdav.nix
@ -0,0 +1,47 @@
+{ config, ... }:
+{
+
+  sops.secrets = {
+    "webdav/photosync/password" = { };
+  };
+
+  sops.templates."webdav.env" = {
+    content = ''
+      PHOTOSYNC_PASSWORD=${config.sops.placeholder."webdav/photosync/password"}
+    '';
+  };
+
+  services.webdav = {
+    enable = true;
+    settings = {
+      address = "127.0.0.1";
+      port = "16065";
+      permissions = "CRUD";
+      behindProxy = true;
+      users = [
+        {
+          username = "photosync";
+          password = "{env}PHOTOSYNC_PASSWORD";
+        }
+      ];
+    };
+    group = "privimg";
+    environmentFile = config.sops.templates."webdav.env".path;
+  };
+
+  systemd.services.webdav.serviceConfig = {
+    BindPaths = [
+      "/mnt/photos/xin/originals:%t/webdav/photosync"
+    ];
+    RuntimeDirectory = "webdav";
+    WorkingDirectory = "%t/webdav";
+  };
+
+  users.users."${config.services.webdav.user}".extraGroups = [
+    "privimg"
+  ];
+
+  services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:6065".extraConfig = ''
+    reverse_proxy 127.0.0.1:16065
+  '';
+}